After nginx upgrade, error: cannot load certificate ssl/ispserver.crt

Discussion in 'Installation/Configuration' started by skysky, Mar 25, 2022.

  1. skysky

    skysky Member

    I am testing an upgrade of nginx on my ISPConfig Ubuntu server from 1.18 to the 1.20.2 stable version, on my testing server (not production).

    After the upgrade was done:
    nginx -v
    nginx version: nginx/1.20.2

    nginx -t shows the config errors below. What should I do to fix them?
    nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
    2022/03/25 18:46:27 [warn] 12901#12901: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
    2022/03/25 18:46:27 [warn] 12901#12901: the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/sites-enabled/roundcube.vhost:5
    2022/03/25 18:46:27 [emerg] 12901#12901: cannot load certificate "/usr/local/ispconfig/interface/ssl/ispserver.crt": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:permission denied:fopen('/usr/local/ispconfig/interface/ssl/ispserver.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)
    nginx: configuration file /etc/nginx/nginx.conf test failed


    sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring
    Import an official nginx signing key so apt could verify the packages authenticity. Fetch the key:

    curl | gpg --dearmor \
    | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
    Verify that the downloaded file contains the proper key:

    gpg --dry-run --quiet --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
    The output should contain the full fingerprint 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 as follows:

    pub rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
    uid nginx signing key <[email protected]>
    If the fingerprint is different, remove the file.

    To set up the apt repository for stable nginx packages, run the following command:

    echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ `lsb_release -cs` nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list

    echo -e "Package: *\nPin: origin\nPin: release o=nginx\nPin-Priority: 900\n" \
    | sudo tee /etc/apt/preferences.d/99nginx

    Now update it
    $ sudo apt-get update

    Run install
    $ sudo apt-get install nginx

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This can't work as the Nginx third-party repository you used runs nginx under the wrong user 'nginx' and is therefore not a compatible replacement for the nginx that ships with Ubuntu, which runs as 'www-data'. But you know that already as you asked the same thing here and I told you that it will not work:
    So if you want to make this work, then you'll have to modify the nginx you downloaded now to behave like the one from Ubuntu and run it as user www-data.

  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    If you wish to test any of your websites with the latest version of nginx and ISPConfig, preferably in a new test VM or something, the only repository that I think might work (it might not work or there might still be some issues / hassles you'll need to attend to, and you need good knowledge and experience to handle that) is Ondrej Sury's PPA nginx stable or mainline.

    However, I'd prefer you follow @till's advice in this or the other thread because to me the main reason is very clear: you do not have the necessary knowledge, understanding or experience to troubleshoot and run the bleeding edge version of it.

    The version that comes with your OS distribution (Ubuntu 18.04) is good enough and you can also upgrade your server to 20.04 if you need the one with more recent patches. Do remember that most of the time what you really need is stability so be wise.
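
Added example, not part of the thread and not ISPConfig or nginx project code: a shell triage of `nginx -t` output like that in the first post. It reports which account the `user` directive names (the replies contrast 'nginx' with the 'www-data' that Ubuntu's package uses), whether nginx warned that it was not started with super-user privileges, and which paths were reported permission denied. The function names and the constructed nginx.conf are assumptions of this sketch.

```shell
# Added example, not from the thread. Function names are this sketch's own.

# Print the account named by the `user` directive of the nginx.conf in $1.
nginx_conf_user() {
    sed -e 's/#.*//' "$1" | awk '$1 == "user" { sub(/;.*/, "", $2); print $2; exit }'
}

# stdin: nginx -t output. Succeeds if nginx warned that it was not started
# with super-user privileges (it then ignores `user`, per the warning).
ran_unprivileged() {
    grep -q 'master process runs with super-user privileges'
}

# stdin: nginx -t output. Prints every path reported as permission denied.
denied_paths() {
    sed -n -e 's/.*open() "\([^"]*\)" failed (13: Permission denied).*/\1/p' \
           -e 's/.*cannot load certificate "\([^"]*\)".*permission denied.*/\1/p'
}

# $1 = nginx.conf, $2 = expected worker account, stdin = nginx -t output.
triage() {
    out=$(cat)
    cfg_user=$(nginx_conf_user "$1")
    [ "$cfg_user" = "$2" ] || echo "worker-user-mismatch: conf=$cfg_user expected=$2"
    if printf '%s\n' "$out" | ran_unprivileged; then
        echo "test-ran-unprivileged: file errors reflect the invoking account"
    fi
    printf '%s\n' "$out" | denied_paths | while read -r p; do
        echo "permission-denied: $p"
    done
}

# The three relevant lines from the first post (timestamps and pids trimmed).
sample_output() {
    cat <<'EOF'
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
[warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
[emerg] cannot load certificate "/usr/local/ispconfig/interface/ssl/ispserver.crt": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:permission denied:fopen('/usr/local/ispconfig/interface/ssl/ispserver.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)
EOF
}

# Demo against a constructed nginx.conf that names the account 'nginx'.
demo() {
    conf=$(mktemp)
    printf 'user  nginx;\nworker_processes auto;\n' > "$conf"
    sample_output | triage "$conf" www-data
    rm -f "$conf"
}
demo
```

On a real host, feed it `nginx -t 2>&1` and the path of the live nginx.conf instead of the embedded sample.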
